Hi there
I need to log src nat information about udp/tcp sessions leaving my routeros (a 750 routerboard equipped with 4.9 RoS).
On ethernet1 I have a public IP XX.YY.ZZ.LL
On ethernet2 I have a private IP 192.168.1.1 used in my private network 192.168.1.0/24 as default gateway to access the public Internet.
All outgoing traffic passing through the router coming from the private network is natted by masquerade (/ip nat add action=masquerade).
I need to log all new sessions/connections (both UDP/TCP). Moreover I'm interested to log the pair (natted srcIP, natted srcport).
Right now I tried to use action=log in both /ip filter and /ip nat subsystems without any success: in the log generated when new sessions are established, I can just see the pairs (srcIP, srcPort) before they are masqueraded. I mean that I have this log:
(192.168.1.X, Srcport). But I'd like to have this information in logs: (XX.YY.ZZ.LL, natted Srcport)
Is this available in some way under the /ip firewall subsystem? Or is there no chance to get it?
Many thanks for your attention
ciao
Hi there
I found something similar to my question here http://forum.mikrotik.com/t/how-to-log-nat-translation/10443/1
I can’t use torch because there is huge traffic on the interfaces and moreover ip accounting doesn’t really help: there is no port information. Any idea to suggest me?
thanks for your attention
ciao
You can place a log action on the forward chain in the firewall filter, but this will generate a TON of information as it will log each and every single packet that goes through the router. You can narrow it down, but a lot of this won’t be useful information to you probably.
You could also play around with the Packet Sniffer under tools to see if that will fit your needs. You can specify a subnet and interface, and store it locally to a set size or stream it to a remote server. I believe it makes it close to a wireshark file so you can review the packets later if you want. We haven’t played around with it much so I really can’t speak to how well it works. I also believe it stores the packet payloads by default as well which will add up very quickly for an entire network. You may be able to turn that off however and just store the headers.
http://wiki.mikrotik.com/wiki/Manual:Tools/Packet_Sniffer
The other option which will probably be the easiest and get you most of the information you want would be with IP flows (traffic flow on the MikroTik). This will send all of the traffic flow data to a flows collector for it to process. It will store what IP address and what ports someone went to, approximately when they went there, and how much traffic was passed between the server and host. The main trick for this is finding a collector you like for a reasonable price, or setting up an open source one yourself.
http://wiki.mikrotik.com/wiki/Manual:IP/Traffic_Flow
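As an added example (not from this thread, and not MikroTik's own documentation), the three approaches described in the reply above written out as RouterOS CLI commands. Parameter names follow the RouterOS v6 CLI as I know it; the original poster's 4.9 release may name some of them differently, so treat that as an assumption. The collector address 192.168.1.10 and the file names are constructed values.

```routeros
# Added example, not from the thread. Assumes RouterOS v6 CLI syntax;
# v4.9 may differ. 192.168.1.10 is a constructed collector address.

# 1. Firewall filter log action on the forward chain, narrowed to the
#    first packet of each new connection from the private LAN so that
#    the log does not receive every packet. As the reply notes, the
#    filter forward chain runs before srcnat, so this still records the
#    pre-NAT source (192.168.1.x), not the masqueraded address/port.
/ip firewall filter
add chain=forward connection-state=new src-address=192.168.1.0/24 \
    protocol=tcp action=log log-prefix="NEW-TCP"
add chain=forward connection-state=new src-address=192.168.1.0/24 \
    protocol=udp action=log log-prefix="NEW-UDP"

# 2. Packet sniffer: headers only, bounded file size, restricted to the
#    LAN subnet on the LAN interface so the capture stays small.
/tool sniffer set filter-interface=ether2 filter-ip-address=192.168.1.0/24 \
    only-headers=yes file-name=lan-sessions file-limit=10000KiB
/tool sniffer start
# ... later: /tool sniffer stop  (then download lan-sessions.pcap)

# 3. Traffic flow (NetFlow) export to a collector; the collector, not
#    the router, stores per-flow addresses, ports and byte counts.
/ip traffic-flow set enabled=yes interfaces=ether1,ether2 \
    active-flow-timeout=30m inactive-flow-timeout=15s
/ip traffic-flow target add dst-address=192.168.1.10 port=2055 version=9

# 4. (Assumption, v6) The connection tracking table holds both tuples of
#    a masqueraded connection: the reply-* fields show the translated
#    address and port. This is a live snapshot, not a log.
/ip firewall connection print detail where src-address~"^192.168.1."
```

Approach 1 is the cheapest to try and is what the original poster already observed: it logs before translation. Approaches 2 and 3 move the cost off the router's log to a file or a collector; the sniffer's `only-headers=yes` and `file-limit` keep the capture bounded, and the flow export only sends flow records, not payloads. Approach 4 is the one place RouterOS exposes the translated port directly, but only for connections that are currently tracked.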
Thanks Feklar but I have to save bandwidth so that workaround doesn’t fit my case.
Anyway … I realized RouterOS has no way to perform what I need in an elegant way. Maybe a future release will give the possibility to dump a complete packet in case of action log under the filter submenu.